b'            valuation\n\n\n             eport\n\n     INFORMATION ASSURANCE AT CENTRAL DESIGN ACTIVITIES\n\n\nReport No. D-2001-046                         February 7, 2001\n\n\n\n\n             Office of the Inspector General\n                 Department of Defense\n\x0c  Additional Copies\n\n  To obtain additional copies of this audit report, visit the Inspector General, DoD\n  Home Page at: www.dodig.osd.mil or contact the Secondary Reports\n  Distribution Unit of the Audit Followup and Technical Support Directorate at\n  (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n  fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                     Inspector General, Department of Defense\n                        400 Army Navy Drive (Room 801)\n                            Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\n  by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.\n  The identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nAIS                   Automated Information System\nCDA                   Central Design Activity\nDAA                   Designated Approving Authority\nDITSCAP               DoD Information Technology Security Certification and\n                         Accreditation Process\nDISA                  Defense Information Systems Agency\nIT                    Information Technology\nOMB                   Office of Management and Budget\nSRR                   Security Readiness Review\nSTIG                  Security Technical Implementation Guide\n\x0c\x0c                        Office of the Inspector General, DoD\n  Report No. D-2001-046                                             February 7, 2001\n     (Project No. D2000PT-0121)\n     (Formerly Project No. 0PT-0112)\n\n               Information Assurance at Central Design Activities\n\n                                 Executive Summary\n\nIntroduction. For the purpose of this evaluation, a Central Design Activity is defined\nas a designated organization (or segment thereof) within a component that, at a\nminimum, has responsibility for designing, converting, coding, testing, documenting,\nor subsequently maintaining or modifying computer operating or applications software\nfor use at more than one location. For this evaluation, we visited an Army, a Navy,\nand an Air Force Central Design Activity.\n\nCentral Design Activities use software development environments to develop and\nmaintain the software for which they are responsible. A software development\nenvironment is an automated information system that provides an integrated suite of\ntools to aid the development of software in a particular language or for a particular\napplication.\n\nInformation assurance comprises the operations to protect and defend information and\ninformation systems by ensuring their availability, integrity, authentication,\nconfidentiality, and nonrepudiation. Information assurance includes providing for\nrestoration of information systems by incorporating protection, detection, and reaction\ncapabilities.\n\nObjectives. This evaluation had two objectives. The first objective was to determine\nwhether information assurance policies and management controls were working to\nprotect the software development environments and software libraries the Central\nDesign Activities use for DoD software development and maintenance. The second\nobjective was to evaluate whether the controls the Central Design Activities have in\nplace ensure that the DoD systems developed and maintained by the Central Design\nActivities do not contain malicious code.\n\nResults. The three Central Design Activities we visited had not certified or accredited\ntheir software development environments as required by DoD policy. In addition,\nthose Central Design Activities did not participate in the accreditation of software\ndevelopment environments created for them and housed at Defense Information\nSystems Agency facilities. As a result, there is an increased risk of unauthorized access\nto and modification of DoD software (finding A).\n\nThe management controls were inadequate to detect and remove malicious code from\nsome software products in development at the three Central Design Activities we\nvisited. As a result, those Central Design Activities cannot ensure that software\nproduced by them does not contain malicious code (finding B).\n\x0cSummary of Recommendations. We recommend that the Assistant Secretary of\nDefense (Command, Control, Communications, and Intelligence) update DoD\nInstruction 5200.40 to explicitly include software development environments as systems\nthat need to be certified and accredited; establish a program of guidance and oversight\nto ensure the certification and accreditation of software development environments;\nestablish a performance measure for designated approving authorities to report the\naccreditation status of software development environments; and hold periodic reviews\nof that performance measure, with the goal of 100 percent accreditation.\n\nWe recommend that the Commander, Defense Information Systems Agency Western\nHemisphere, require Defense Enterprise Computing Center Commanders to fully\ninvolve Central Design Activity user representatives in the certification and\naccreditation process for software development environments that the Defense\nInformation Systems Agency provides for Central Design Activities as well as provide\nCentral Design Activity Commanders the details of any vulnerabilities discovered\nduring the accreditation.\n\nWe also recommend that the Assistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) update DoD policy to require that the development\nand maintenance of DoD software include a review of each new and changed line of\nfinal source code to deter, detect, and remove any malicious code.\n\nManagement Comments. The Assistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) partially concurred with the recommendations and\ninitiated several actions that meet their intent. The Defense Information Systems\nAgency concurred with the recommendations and directed the Defense Enterprise\nComputing Centers to involve the Central Design Activities in the Security Readiness\nReview process and to provide them the results of the reviews. The Assistant Secretary\nconcurred in theory with updating DoD policy to include the review of each new and\nchanged line of code; however, he stated that the implementation would likely exceed\nthe available resources and may require future budgeting before implementation could\nbegin. A discussion of management comments is in the Finding section of the report\nand the complete text is in the Management Comments section.\n\nEvaluation Response. The comments from the Assistant Secretary were partially\nresponsive. We believe the Assistant Secretary\xe2\x80\x99s proposed actions to determine\nmeasurements for the management of DoD software development environments and to\nreview certification and accreditation procedures and status of DoD software\ndevelopment environments meet the intent of the recommendation if continued on a\ncyclic basis. We also believe the formal review of each new and changed line of final\nsource code is practical. The Assistant Secretary needs to establish a time-phased\napproach to ensure the certification and accreditation of the DoD Component and DoD\ncontractor software development environments, and provide a time-phased approach to\nupdating DoD policy to require that the development and maintenance of DoD software\ninclude a review of each new and changed line of final source code. We request that\nthe Assistant Secretary provide additional comments by April 9, 2001.\n\n\n\n\n                                           ii\n\x0cTable of Contents\n\nExecutive Summary                                                         i\n\nIntroduction\n     Background                                                           1\n     Objectives                                                           2\n\nFindings\n     A. Software Development Environment Security                         3\n     B. Malicious Code Detection                                          9\n\nAppendixes\n     A. Evaluation Process\n          Scope and Methodology                                          13\n          Management Control Program                                     14\n          Prior Coverage                                                 14\n     B. Military Department Central Design Activities                    16\n     C. Effective Development Practices                                  17\n     D. Report Distribution                                              18\n\nManagement Comments\n     Assistant Secretary of Defense (Command, Control, Communications,\n       and Intelligence)                                                 21\n     Defense Information Systems Agency                                  24\n     Department of the Army                                              27\n\x0cBackground\n    Central Design Activities. For the purpose of this evaluation, a Central Design\n    Activity (CDA) is defined as a designated organization (or segment thereof)\n    within a component that, at a minimum, has responsibility for designing,\n    converting, coding, testing, documenting, or subsequently maintaining or\n    modifying computer operating or applications software for use at more than one\n    location. The Army, the Navy, and the Air Force have a total of 17 CDAs. A\n    list of those CDAs is provided in Appendix B. For this evaluation, we visited\n    an Army, a Navy, and an Air Force CDA. We visited the Software\n    Development Center Lee (Army), the Fleet Material Support Office (Navy), and\n    the Materiel Systems Group (Air Force). Other DoD agencies have CDAs also.\n    The Marine Corps, the Defense Finance and Accounting Service, the Director\n    for Information and Technology, and the Defense Logistics Agency list CDA\n    organizations.\n\n            Software Development Center Lee. The Software Development Center\n    Lee in Fort Lee, Virginia, reports to the Army Information Systems Software\n    Center located at Fort Belvoir, Virginia. As one of the largest centralized\n    software development centers within the Army, the Lee center employs more\n    than 200 civilian and military personnel. The Software Development Center\n    Lee is responsible for the development and maintenance of more than 30\n    automated information systems (AISs) for the Army. It produces logistics,\n    engineering, procurement, and subsistence systems for the Army Deputy Chief\n    of Staff for Logistics; the Defense Commissary Agency; the Army\n    Procurement, Research and Analysis Office; and other DoD agencies.\n\n            Fleet Material Support Office. The Fleet Material Support Office in\n    Machanicsburg, Pennsylvania, is a major field activity of the Naval Supply\n    Systems Command. The Fleet Material Support Office has more than 900\n    employees and provides information technology (IT) products and services to\n    the Navy, DoD, and other Federal organizations. Its systems integrate supply,\n    financial, maintenance, procurement, and other logistics functions through\n    networks, telecommunications, and interrelated databases.\n\n           Materiel Systems Group. The Materiel Systems Group in Dayton,\n    Ohio, is a direct reporting unit of the Electronic Systems Center, Air Force\n    Materiel Command, Hanscom Air Force Base, Massachusetts. The Materiel\n    Systems Group supports the Air Force information goals through acquiring,\n    developing, maintaining, reengineering, and providing technical services for\n    information systems. The Materiel Systems Group has 576 employees and\n    manages more than 160 of the Air Force Materiel Command\xe2\x80\x99s logistics\n    information systems.\n\n    Software Development Environments. A software development environment\n    is an AIS that includes the facilities, hardware, software, firmware, procedures,\n    and documentation needed to perform software development. A software\n    development environment includes all networks and systems used for\n    development or maintenance of a project\xe2\x80\x99s software. The CDAs use software\n    development environments to develop and maintain the software for which they\n                                        1\n\x0c     are responsible. A software development environment provides an integrated\n     suite of tools to aid the development of software in a particular language or for a\n     particular application. Usually, the tools consist of a compiler and editor and\n     may include a debugger and source code manager. The software development\n     environment may also include computer-aided software engineering (CASE)\n     tools, simulators, documentation tools, database management systems, and\n     operating systems.\n\n     Information Assurance. Information assurance comprises the operations to\n     protect and defend information and information systems by ensuring their\n     availability, integrity, authentication, confidentiality, and nonrepudiation.\n     Information assurance includes providing for restoration of information systems\n     by incorporating protection, detection, and reaction capabilities.\n\n     Information can be erased or become inaccessible, resulting in loss of\n     availability. When information is modified in unexpected ways, the result is a\n     loss of integrity. A loss of integrity occurs when unauthorized changes are\n     made to information, whether by human error or intentional tampering. To\n     make information available to those who need it and who can be trusted with it,\n     organizations use authentication and authorization. Confidentiality is lost when\n     an unauthorized person is allowed to read or copy classified information.\n     Security is strong when the means of authentication cannot later be refuted,\n     which is known as nonrepudiation.\n\n\nObjectives\n     This evaluation had two objectives. The first was to determine whether\n     information assurance policies and management controls were working to\n     protect the software development environments and software libraries the CDAs\n     use for DoD software development and maintenance. The second was to\n     evaluate whether the controls the CDAs have in place ensure that the DoD\n     systems developed and maintained by the CDAs do not contain malicious code.\n     See Appendix A for a discussion of the scope and methodology and prior\n     coverage.\n\n\n\n\n                                          2\n\x0c           A. Software Development Environment\n              Security\n           The three CDAs we visited had not certified or accredited their software\n           development environments as required by DoD policy. In addition, the\n           CDAs did not participate in the accreditation of software development\n           environments created for them and housed at Defense Information\n           Systems Agency (DISA) facilities. Those problems occurred because of\n           a lack of management oversight of software development environment\n           security. As a result, there is an increased risk of unauthorized access to\n           and modification of DoD software.\n\n\nPolicy Requirements for Software Development Environment\n  Security\n    Office of Management and Budget Circular A-130. The Paperwork\n    Reduction Act of 1980, Public Law 96-511, establishes the Office of\n    Management and Budget (OMB) as responsible for developing information\n    security policies and overseeing agency practices. The OMB provided guidance\n    for agencies in OMB Circular A-130, Appendix III, \xe2\x80\x9cSecurity of Federal\n    Automated Information Resources,\xe2\x80\x9d February 8, 1996. Since 1985, that\n    circular has directed agencies to implement an adequate level of security for all\n    AISs, ensuring effective and accurate operations as well as continuity of\n    operations for systems that support critical agency functions.\n\n    The OMB Circular A-130, Appendix III, also specifies that a management\n    official should authorize in writing the use of each system before beginning or\n    significantly changing the use of the system. By authorizing use of a system, a\n    manager accepts the risks associated with it.\n\n    DoD Directive 5200.28. DoD Directive 5200.28, \xe2\x80\x9cSecurity Requirements for\n    Automated Information Systems (AISs),\xe2\x80\x9d March 21, 1998, provides mandatory,\n    minimum AIS security requirements and specifies that more stringent\n    requirements may be necessary for selected systems based on an assessment of\n    acceptable levels of risk. It stresses the importance of a life-cycle management\n    approach to implementing computer security requirements and applies to\n    systems processing unclassified, sensitive-but-unclassified, and classified\n    information. DoD Directive 5200.28 specifies that the accreditation of an AIS\n    be supported by a certification plan, a risk analysis of the AIS in its operational\n    environment, an evaluation of the security safeguards, and a certification report,\n    all approved by the Designated Approving Authority (DAA). DoD\n    Directive 5200.28 states that the AIS developer is responsible for ensuring the\n    early and continuous involvement of the users, information system security\n    officers, data owners, and DAAs in defining and implementing security\n    requirements of the AIS. The directive also requires an evaluation plan for the\n    AIS that shows progress toward meeting full compliance with stated security\n    requirements and safeguards.\n\n                                         3\n\x0c    DoD Instruction 5200.40. DoD Instruction 5200.40, \xe2\x80\x9cDoD Information\n    Technology Security Certification and Accreditation Process (DITSCAP),\xe2\x80\x9d\n    December 30, 1997, (the DITSCAP) establishes a DoD standard infrastructure-\n    centric approach that protects and secures the Defense Information\n    Infrastructure. The activities presented in the DITSCAP standardize the\n    certification and accreditation process. The four-phase process considers the\n    system mission, environment, and architecture while assessing the impact of\n    operation of that system on the Defense Information Infrastructure.\n\n    The DITSCAP applies to the acquisition, operation, and sustainment of any\n    DoD system that collects, stores, transmits, or processes unclassified or\n    classified information. It applies to any IT or information system life cycle,\n    including the development of new IT systems, the development of prototype IT\n    systems, the reconfiguration or upgrade of existing systems, and legacy systems.\n    The key to the DITSCAP is the agreement between the IT system program\n    manager, the DAA, the Certifying Authority, and the user representative.\n    Those managers resolve critical schedule, budget, security, functionality, and\n    performance issues. Resolution of those issues is documented in the System\n    Security Authorization Agreement that is used to guide and document the results\n    of the certification and accreditation process. The objective is to use the System\n    Security Authorization Agreement to establish a binding agreement on the level\n    of security required before system development begins or before changes to a\n    system are made.\n\n    Phase 3 of the process, the Validation phase, includes activities to evaluate the\n    fully integrated system operating in a specified computing environment with an\n    acceptable level of residual risk.\n\n\nAccreditation of CDA-Housed Software Development\n  Environments\n    None of the three CDAs we visited, Army Software Development Center Lee,\n    Navy Fleet Material Support Office, and Air Force Materiel Systems Group,\n    had developed System Security Authorization Agreements for their software\n    development environments. Two of the three CDAs, Fleet Material Support\n    Office and Materiel Systems Group, had not accredited their software\n    development environments, and the third, Software Development Center Lee,\n    had an expired accreditation letter. The Fleet Material Support Office DAA had\n    signed an Interim Authority to Operate on December 2, 1999, that was not\n    based on any formal process or risk assessment. Only one of the three CDAs,\n    Software Development Center Lee, conducted periodic security exercises or\n    vulnerability assessments to determine the adequacy of security measures and to\n    identify security deficiencies. In summary, none of the three CDAs had\n    accredited their software development environments nor could they provide the\n    System Security Authorization Agreements, which document the certification\n    and accreditation process results required by DITSCAP, for their software\n    development environments.\n\n                                         4\n\x0cAccreditation of DISA-Housed Software Development\n  Environments\n    The Navy Fleet Material Support Office and the Air Force Materiel Systems\n    Group used software development environments that were housed at DISA\n    facilities.\n\n    The Navy Fleet Material Support Office Interim Authority to Operate did not\n    include the DISA housed mainframe software development environments. The\n    Navy CDA considered the operation of the mainframe to be a DISA\n    responsibility.\n\n    The Air Force Materiel Systems Group\xe2\x80\x99s software development environments\n    housed in DISA facilities were covered by a DISA site accreditation, but that\n    accreditation process did not include user representatives from the CDA, as\n    required by the DITSCAP. DISA provided the Air Force CDA with a copy of\n    the site accreditation letters for the DISA facilities, but did not provide\n    information on vulnerabilities discovered during the accreditation process.\n    DISA performed periodic vulnerability assessments using its Security Technical\n    Implementation Guides (STIGs) and documented the results in a Security\n    Readiness Review (SRR). DISA provided a summary of the results to the DISA\n    DAA and a copy of the SRR to the DISA facility commander. DISA did not\n    provide a copy of the SRR to the CDA and did not inform the CDA of the\n    results of the SRR or any potential risks to the software development\n    environments. The inclusion of the CDA user representative in the accreditation\n    process could lead to identifying additional potential security vulnerabilities of\n    the software development environments.\n\n\nConsequences of Not Certifying and Accrediting Software\n  Development Environments\n    The consequence of not conducting certification and accreditation on each\n    software development environment is that the unique risks involved in operating\n    each software development environment were not fully assessed. Without a\n    comprehensive risk assessment and adjudication of those risks by the DAA,\n    there is no balance of risk versus operational need and the system has the\n    potential of operating at an unacceptable level of risk. That could lead to a\n    number of problems, including unauthorized access to the software development\n    environment, alteration or destruction of the software libraries, and use of the\n    software development environment to exploit vulnerabilities of the network or of\n    other systems connected to the network.\n\n\n\n\n                                        5\n\x0c            Importance of Software Development Environment Security\n\n\n      Software Development\n                                                Operational System\n      Environment\n\n\n\n\n        Source Code Libraries                        Operational\n        Baseline Libraries                             Data\n\n\n\n      User Software\n                                                 User Software\n      Networks\n                                                 Networks\n      Compiler, Editor, etc.\n                                                 Application Software\n      Operating System\n                                                 Operating System\n\n\n\n\n    The figure illustrates that the software development environment is the system\n    that supports development, builds the release materials used to deploy the new\n    operational system, and protects the operational system while in development or\n    maintenance. Just as the operational data depends on the security of the\n    operational system, the confidentiality and integrity of the operational system\n    software depends on the security of the software development environment.\n\n\nRecommendations, Management Comments, and Evaluation\n  Response\n    A.1. We recommend that the Assistant Secretary of Defense (Command,\n    Control, Communications, and Intelligence):\n\n           a. Update DoD Instruction 5200.40 to explicitly include software\n    development environments as systems that need to be certified and\n    accredited.\n\n            b. Establish a program of guidance and oversight to ensure the\n    certification and accreditation of DoD Component and DoD contractor\n    software development environments.\n\n\n\n                                       6\n\x0c      c. Establish a performance measure for designated approving\nauthorities to report the certification and accreditation status of DoD\nComponent and DoD contractor software development environments.\n\n       d. Hold periodic reviews of that performance measure, with the goal\nof 100 percent accreditation.\n\nAssistant Secretary of Defense (Command, Control, Communications, and\nIntelligence) Comments. The Assistant Secretary of Defense (Command,\nControl, Communications, and Intelligence) stated that the Software\nManagement Office and the Defense-Wide Information Assurance Program are\nworking in a coordinated effort to review all appropriate policies and, where\nnecessary, will update those policies to address information assurance. The\nreview will also include the possible insertion of software development\nenvironment certification and accreditation language. The Assistant Secretary\nagreed that a program of guidance and oversight to ensure the certification and\naccreditation of DoD Component and DoD contractor software development\nenvironments should exist. However, the DoD Chief Information Office does\nnot have the resources nor the consent of the DoD Components for the operation\nof such a program. The DoD Chief Information Office will examine the\nfeasibility and resources needed for a software development environment\naccreditation effort within the Software Management Office. The Software\nManagement Office established a Software Metrics Integrated Product Team to\ndetermine what measurements are necessary for the adequate management of\nDoD software development environments. The Integrated Product Team will\nassign designated approving authorities to report the certification and\naccreditation status of DoD Component and DoD contractor software\ndevelopment environments as a part of the team\xe2\x80\x99s overall effort to improve\nsoftware management. The Software Management Office, in cooperation with\nthe Defense-Wide Information Assurance Program, will review certification and\naccreditation procedures and status of DoD Component and DoD contractor\nsoftware development environments with a goal of 100 percent accreditation.\n\nEvaluation Response. The Assistant Secretary\xe2\x80\x99s proposed actions meet the\nintent of Recommendations A.1.a., A.1.c., and A.1.d. The DoD Chief\nInformation Office\xe2\x80\x99s examination of the feasibility and resources needed for a\nsoftware development environment accreditation effort does not fully meet the\nintent of recommendation A.1.b. However, we believe that the proposed\nactions of assigning designated approving authorities to report the certification\nand accreditation status and the cooperative efforts of the Software Management\nOffice and the Defense-Wide Information Assurance Program to review and\nmaintain reports on the certification and accreditation status of DoD Component\nand DoD contractor software development environments would meet the intent\nof recommendation A.1.b. if continued on a cyclic basis.\n\nIn response to the final report, we request that the Assistant Secretary provide\nthe estimated date those policies will be updated with software development\nenvironment certification and accreditation language; the estimated date the\nSoftware Metrics Integrated Product Team will assign designated approving\nauthorities to report the certification and accreditation status of DoD Component\nand DoD contractor software development environments; the estimated\n\n                                    7\n\x0ccompletion date for the certification and accreditation procedures and status\nreview; and the estimated completion dates for a time-phased approach to ensure\nthe certification and accreditation of the DoD Component and DoD contractor\nsoftware development environments.\n\nArmy Comments. Although not required to comment, the Army Materiel\nCommand nonconcurred with the recommendation to require accreditation of\nCentral Design Activities because the Central Design Activities do not have\nfixed hardware and software configurations.\n\nEvaluation Response. The recommendation was intended for the certification\nand accreditation of the systems used by the Central Design Activities for\ndevelopment and maintenance of DoD software, not for the Central Design\nActivities as a whole.\nA.2. We recommend that the Commander, Defense Information Systems\nAgency Western Hemisphere, require Defense Enterprise Computing\nCenter Commanders to:\n\n        a. Fully involve Central Design Activity user representatives in the\ncertification and accreditation process for software development\nenvironments that the Defense Information Systems Agency provides for\nCentral Design Activities.\n\n       b. Provide Central Design Activity Commanders the details of any\nvulnerabilities discovered during the accreditation of software development\nenvironments that the Defense Information Systems Agency provides for\nCentral Design Activity customers.\n\nDefense Information Systems Agency Comments. The Defense Information\nSystems Agency concurred, stating that a memorandum from the Chief,\nOperations Division, will be issued to the Defense Enterprise Computing\nCenters and Detachments, directing that the Central Design Activities be\ninvolved in the Security Readiness Review process and that the results obtained\nfrom the reviews be provided to the Central Design Activities and other\ncustomers of the platforms.\n\nAssistant Secretary of Defense (Command, Control, Communications, and\nIntelligence) Comments. The Assistant Secretary stated that the DoD Chief\nInformation Office will request quarterly progress and status reports be sent\nfrom DISA to the Software Management Office and that the two offices will\ncontinue to work closely with each other.\n\n\n\n\n                                   8\n\x0c           B. Malicious Code Detection\n           The management controls were inadequate to detect and remove\n           malicious code from some software products in development at the three\n           CDAs we visited. Controls were inadequate because the development\n           teams did not review final source code for malicious code and because\n           DoD policy does not address malicious code detection and removal. As\n           a result, the CDAs cannot ensure that software produced by them does\n           not contain malicious code.\n\n\nMalicious Code\n    Source Code. A programmer writes a program in a particular programming\n    language. This form of the program is called the source program or, more\n    generically, source code. Source code is the only format that is readable by\n    humans. When you purchase programs, you usually receive them in their\n    machine-language format. That means you can execute the programs directly,\n    but you cannot read or modify them.\n\n    Malicious Code. The National Information Systems Security (INFOSEC)\n    Glossary defines malicious code as software or firmware capable of performing\n    an unauthorized function on an information system. Malicious code includes\n    viruses, worms, Trojan horses, logic bombs, and other \xe2\x80\x9cuninvited\xe2\x80\x9d software.\n\n    Risk of Malicious Code. In the world of personal computers, \xe2\x80\x9cEaster eggs\xe2\x80\x9d\n    are the name given creative gimmicks that programmers have hidden inside\n    some popular desktop applications and hardware. They are called Easter eggs\n    after the U.S. tradition of parents hiding eggs for their children to find. As\n    programmers\xe2\x80\x99 work is often uncredited, they may sneak their names into the\n    programs with Easter eggs.\n    By definition, Easter eggs are not damaging; however, Trojan horses, logic\n    bombs, worms, and other malicious code can be hidden just as easily and later\n    activated to cause damage to the system or to data. It is just as simple to put in\n    a backdoor to a computer system, allowing unauthorized access at a later date\n    for anything from stealing funds to spying. Once installed, malicious code is\n    extremely hard to find because it can be small and hidden in the application.\n    Detection methods require access to the source code, tools, experience with the\n    programming language, and system knowledge.\n\n\nMalicious Code Policy\n    We could find no DoD policy reference to \xe2\x80\x9cMalicious Code.\xe2\x80\x9d However, asset\n    protection and data integrity are frequently referenced. DoD Directive 5010.38,\n    \xe2\x80\x9cManagement Control (MC) Program,\xe2\x80\x9d August 26, 1996, requires each DoD\n    component to implement a comprehensive system of management controls that\n\n                                         9\n\x0c    provides reasonable assurance that assets are safeguarded against waste, loss,\n    unauthorized use, and misappropriation. DoD Directive 5200.28 requires\n    safeguards to be in place to detect and minimize inadvertent modification or\n    destruction of data and to detect and prevent malicious destruction or\n    modification of data. The CDA software libraries are DoD assets and the\n    source code they contain are data.\n\n\nControls for Detecting and Removing Malicious Code\n    The three CDAs we visited had weak physical access controls to the\n    programmer work areas. There were good procedures for adding and removing\n    software development environment users, but no process that verified that the\n    access list was correct and that the access activity was as expected. We\n    evaluated projects where team passwords could be captured and used by\n    someone else, tools were not used to highlight code changes, and code reviews\n    checked only selected modules for correct function. In summary, the\n    management controls on those projects were inadequate to deter, detect, and\n    remove malicious code.\n\n    Effective Detection Practices. A software development organization with a\n    repeatable and defined development process uses commercial tools, documented\n    processes, and trained teams to consistently produce quality software. It uses\n    separation of duties and development practices to limit the opportunities for\n    malicious code to be inserted without detection. The following development\n    practices help deter and detect malicious code.\n\n           \xe2\x80\xa2   Configuration management tools and procedures.\n\n           \xe2\x80\xa2   Formal peer reviews.\n\n           \xe2\x80\xa2   Coding standards checking.\n\n           \xe2\x80\xa2   New and changed code reviews.\n\n           \xe2\x80\xa2   Software quality assurance monitoring.\n\n    See Appendix C for details on those development practices.\n\n    An Example of a Good Process. We interviewed one project team with very\n    good management control processes, though they were project specific and not\n    consistent throughout the CDA. There was open access to the programmer\n    work areas, but the servers with the software libraries were in locked rooms.\n    At the start of each maintenance cycle, the last version of the system is used to\n    create a test environment. When the code required an update, a design\n    document was created with a description of the changes to be made to the code.\n    After approval of the design document, the code to be changed was copied from\n    the test environment to a floppy disk for the programmer. The code on the\n    floppy is the only code that the programmer can change, though the programmer\n    has read-only access to the entire test environment.\n\n                                       10\n\x0c    The programmer then completes the necessary changes and returns the floppy\n    with the new code to the lead programmer. The new code is then compared to\n    the original code using a text compare tool that highlights the changes. The lead\n    programmer checks that the changes described in the design document were\n    made and that no additional changes took place. The lead programmer uploads\n    the new code to the test environment where it is tested for operation errors.\n    After the new version is tested, the test environment is uploaded to the baseline\n    library and the new baseline saved to compact disk. Access to the baseline\n    library is limited to the lead programmer and an assistant. Virus detection runs\n    every 2 hours on the test environment and the baseline. A security log is kept to\n    track hacking attempts.\n\n    Using a floppy to provide the programmers the code that they update effectively\n    limits programmers\xe2\x80\x99 access to only their assigned modules and compensates for\n    the lack of physical access controls. The current lead programmer had been\n    working on that project\xe2\x80\x99s system for many years and had reviewed nearly all of\n    the system\xe2\x80\x99s code. The lead programmer would detect any malicious code when\n    reviewing the changed code, which is a deterrent to the entry of malicious code.\n\n\nSummary\n    Programmer access controls were weak in most cases. Therefore, there was a\n    need for controls over code changes to be robust, but most were not. Even so,\n    code review teams reviewing each new and changed line of the final source code\n    could have detected and removed malicious code. However, this was not done\n    consistently. As a result, the CDAs cannot ensure that their software products\n    do not contain malicious code.\n\n\nRecommendation, Management Comments, and Evaluation\n  Response\n    B. We recommend that the Assistant Secretary of Defense (Command,\n    Control, Communications, and Intelligence) update DoD policy to require\n    that the development and maintenance of DoD software include a review of\n    each new and changed line of final source code to deter, detect, and remove\n    any malicious code.\n\n    Management Comments. The Assistant Secretary concurred with the\n    recommendation in theory. The Assistant Secretary stated that the\n    implementation of this recommendation would likely exceed the resources of the\n    Central Design Activities, the program managers, and the Component Chief\n    Information Offices. The Software Management Office will examine the\n    feasibility of the code inspection tools and applications that can review each new\n    and changed line of final source code for malicious code; however, such tools\n    may not be adequate to the task or may require future budgeting before\n\n\n                                        11\n\x0cimplementation could occur. In addition, the Assistant Secretary stated that a\nformal review of source code in commercial off-the-shelf products is not\npossible.\n\nEvaluation Response. The Assistant Secretary\xe2\x80\x99s comments were not fully\nresponsive. The formal review of each new and changed line of final source\ncode is possible and practical. Some project teams already perform malicious\ncode reviews. Project teams could also include malicious code review in their\nformal peer reviews, if the reviewed source code was saved and protected.\nThere are configuration management and other inspection tools available that\ncan identify new and changed lines of source code by comparison of current\nversions to saved versions. Only the first code baseline would need a complete\nreview. We agree that commercial off-the-shelf software products cannot be\nreviewed in the same way; however, known commercial off-the-shelf\nvulnerabilities are currently tracked and reported by the Computer Emergency\nResponse Teams and the National Institute of Standards and Technology. In\nresponse to the final report, we request that the Assistant Secretary reconsider\nhis comments and provide a time-phased approach to implementing the\nrecommendation.\n\n\n\n\n                                   12\n\x0cAppendix A. Evaluation Process\n\nScope and Methodology\n    Work Performed. We reviewed and evaluated information assurance controls\n    for software development environments at three CDAs. At the selected CDAs,\n    we evaluated the implemented policy and general controls that protect software\n    development environments and software libraries used to develop and maintain\n    DoD systems. We also evaluated the controls that the CDAs had in place to\n    identify and remove malicious code. We developed a questionnaire to help\n    collect information and documentation from the CDAs. We also selected two\n    active projects at each CDA and met with the project teams. We used the\n    questionnaire responses and discussions with officials from the CDAs to\n    evaluate their controls for protecting their software development environments\n    and software libraries. We used the discussions with the project teams to\n    evaluate the controls in place to identify and remove malicious code.\n\n    DoD-Wide Corporate Level Government Performance and Results Act\n    (GPRA) Coverage. In response to the GPRA, the Secretary of Defense\n    annually establishes DoD-wide corporate level goals, subordinate performance\n    goals, and performance measures. This report pertains to achievement of the\n    following goal:\n\n           FY 2000 DoD Corporate Level Goal 2: Prepare now for an uncertain\n           future by pursuing a focused modernization effort that maintains U.S.\n           qualitative superiority in key warfighting capabilities. Transform the\n           force by exploiting the Revolution in Military Affairs, and reengineer the\n           Department to achieve a 21st century infrastructure. (00-DoD-2)\n\n    DoD Functional Area Reform Goals. Most DoD functional areas have also\n    established performance improvement reform objectives and goals. This report\n    pertains to achievement of the following functional area objectives and goals:\n\n           \xe2\x80\xa2 Information Technology Management Area. Objective: Ensure\n             DoD\xe2\x80\x99s vital information resources are secure and protected.\n             Goal: Build information assurance framework. (ITM-4.1)\n\n           \xe2\x80\xa2 Information Technology Management Area. Objective: Ensure\n             DoD\xe2\x80\x99s vital information resources are secure and protected.\n             Goal: Build information assurance architecture and supporting\n             services. (ITM-4.2)\n\n           \xe2\x80\xa2 Information Technology Management Area. Objective: Ensure\n             DoD\xe2\x80\x99s vital information resources are secure and protected.\n             Goal: Improve acquisition processes and regulations. (ITM-4.3)\n\n\n\n\n                                       13\n\x0c           \xe2\x80\xa2 Information Technology Management Area. Objective: Ensure\n             DoD\xe2\x80\x99s vital information resources are secure and protected.\n             Goal: Assess information assurance posture of DoD operational\n             systems. (ITM-4.4)\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the DoD. This report provides coverage\n    of the Information Management and Technology high-risk area.\n\n    Use of Computer-Processed Data. We did not use computer-processed data to\n    perform this evaluation.\n\n    Evaluation Type, Dates, and Standards. We performed this economy and\n    efficiency evaluation from November 1999 through July 2000 in accordance\n    with standards implemented by the Inspector General, DoD.\n    Contacts During the Evaluation. We visited or contacted individuals and\n    organizations within DoD. Further details are available on request.\n\n\nManagement Control Program\n    DoD Directive 5010.38, \xe2\x80\x9cManagement Control (MC) Program,\xe2\x80\x9d August 26,\n    1996, requires DoD organizations to implement a comprehensive system of\n    management controls that provides reasonable assurance that programs are\n    operating as intended and to evaluate the adequacy of the controls.\n\n    Scope of Review of Management Controls. We did not review the\n    management control program related to the overall evaluation objectives because\n    DoD recognized Information Assurance as a material management control\n    weakness area in the FY 1999 Annual Statement of Assurance. However, we\n    did review the adequacy of management controls for protecting software\n    development environments used by the CDAs to develop and maintain DoD\n    software (see the Finding section).\n\n\nPrior Coverage\n    No prior coverage directly related to our evaluation objectives has been\n    conducted during the last 5 years. However, there have been numerous reports\n    related to information assurance in general. Two Inspector General, DoD,\n    reports summarize all of the General Accounting Office and DoD audit reports\n    issued on information assurance from January 1, 1995, through March 31,\n    2000. Unrestricted Inspector General, DoD, reports can be accessed over the\n    Internet at http://www.dodig.osd.mil/audit/reports.\n\n\n\n\n                                       14\n\x0cInspector General, DoD\n     Inspector General, DoD, Report No. D-2000-124, \xe2\x80\x9cInformation Assurance\n     Challenges\xe2\x80\x94A Summary of Audit Results Reported December 1, 1998, through\n     March 31, 2000,\xe2\x80\x9d May 15, 2000.\n\n     Inspector General, DoD, Report No. 99-069, \xe2\x80\x9cSummary of Audit Results\xe2\x80\x94DoD\n     Information Assurance Challenges,\xe2\x80\x9d January 22, 1999.\n\n\n\n\n                                    15\n\x0cAppendix B. Military Department Central\n            Design Activities\n\nCentral Design Activities\n     For the purpose of this evaluation, a CDA is defined as a designated\n     organization (or segment thereof) within a component that, at a minimum, has\n     responsibility for designing, converting, coding, testing, documenting, or\n     subsequently maintaining or modifying computer operating or applications\n     software for use at more than one location.\n\n     While each Military Department\xe2\x80\x99s definition of a CDA may vary slightly from\n     the definition above, they each identified their CDAs (see table below) and\n     noted that they had other software development groups that were not CDAs.\n     Those other software development groups are not considered CDAs because\n     they support software only for the business area organization they belong to, as\n     opposed to more than one location as our definition of CDAs requires.\n\n                        Military Department Central Design Activities\n\n             Army\n               Logistics Systems Support Center\n               Industrial Logistics Systems Center\n               Software Development Center Washington\n               Software Development Center Lee\n               Army Total Personnel Command\n\n             Navy\n               Bureau of Naval Personnel\n               Fleet Material Support Office\n               Naval Aviation Depot Operations Center\n               Naval Computer and Telecommunications Area Master Station,\n                  Atlantic\n               Naval Computer and Telecommunications Station, Jacksonville\n               Naval Computer and Telecommunications Station, Pensacola\n               Naval Computer and Telecommunications Station, Washington\n               Naval Education and Training Professional Development and\n                  Technology Center\n               Naval Reserve Information Systems Office\n\n             Air Force\n                Materiel Systems Group\n                Standard Systems Group\n\n\n\n\n                                        16\n\x0cAppendix C. Effective Development Practices\n   A software development organization with a repeatable and defined development\n   process uses commercial tools, documented processes, and trained teams to\n   ensure it produces quality software. It uses separation of duties and\n   development practices to limit the opportunities for malicious code to be inserted\n   without detection. The following are some of the development practices used to\n   guard against the insertion of malicious code.\n\n   Configuration Management Tools and Procedures. Configuration\n   management is the means by which the content, change, or status of shared\n   information within a project is managed and controlled. The purpose of\n   configuration management is to establish and maintain the integrity and control\n   of software products. No new code can be written without a change\n   authorization. Configuration management tools also limit access to final\n   versions of code.\n\n   Formal Peer Reviews. Configuration management and formal peer review are\n   software development best practices identified by the DoD Software Acquisition\n   Best Practices Initiative. Formal peer reviews use a trained team approach to\n   ensure that the program design is correctly implemented. Technical\n   documentation and code are inspected. Formal peer reviews can eliminate\n   approximately 80 percent of all software defects.\n\n   Coding Standards Checking. Depending on the computer language, there are\n   software tools that can analyze source code to check that programming standards\n   have been followed, that all variables are used, and that there is no dead\n   (inaccessible) code. Use of standards checking tools can quickly identify code\n   that does not follow organizational coding standards.\n\n   New and Changed Code Reviews. The change management features of a\n   configuration management tool or a separate text compare tool can highlight the\n   changes in an updated module by comparing it to the original baseline module.\n   Changes can then be reviewed for code defects, standards violations, and\n   malicious code.\n\n   Software Quality Assurance Monitoring. Software quality assurance consists\n   of an independent team of people that monitors changes to the baseline\n   throughout the development process. Software quality assurance involves\n   regular reviews throughout the development process to ensure that any defects\n   built into the code are detected as early as possible. The software quality\n   assurance team works to verify the implementation of standards and processes\n   that would help detect malicious code.\n\n\n\n\n                                       17\n\x0cAppendix D. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n  Deputy Assistant Secretary of Defense, Deputy Chief Information Officer\n  Deputy Assistant Secretary of Defense, Security and Information Operations\n      Director, Infrastructure and Information Assurance\n      Director, Policy Integration and Operations\n\nJoint Staff\nDirector, Joint Staff\n  Director, Operations\n  Director, Command, Control, Communications, and Computers\n\nDepartment of the Army\nAssistant Secretary of the Army (Financial Management and Comptroller)\nCommanding General, Army Communications and Electronics Command\n  Commander, Software Development Center Lee\nAuditor General, Department of the Army\n\nDepartment of the Navy\nCommander, Naval Supply Systems Command\n  Commanding Officer, Fleet Material Support Office\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nCommander, Air Force Materiel Command\n   Executive Director, Materiel Systems Group\nInspector General, Department of the Air Force\nAuditor General, Department of the Air Force\n\n\n\n\n                                         18\n\x0cOther Defense Organizations\nDirector, Defense Finance and Accounting Service\nDirector, Defense Information Systems Agency\n   Commander, Defense Information Systems Agency Western Hemisphere\nDirector, Defense Logistics Agency\nDirector, National Security Agency\n   Inspector General, National Security Agency\nInspector General, Defense Intelligence Agency\nInspector General, National Imagery and Mapping Agency\n\nNon-Defense Federal Organizations\nOffice of Management and Budget\n  Office of the Information and Regulatory Affairs\nGeneral Accounting Office\n  Director, Defense Information and Financial Management Systems, Accounting and\n      Information Management Division\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Management, Information, and Technology,\n  Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\n\n\n\n\n                                       19\n\x0c\x0cAssistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) Comments\n\n\n\n\n                      21\n\x0c22\n\x0c23\n\x0cDefense Information Systems Agency\nComments\n\n\n\n\n                  24\n\x0c25\n\x0c26\n\x0cDepartment of the Army Comments\n\n\n\n\n                 27\n\x0cFinal Report\nReference\n\n\n\n\nRevised\nPage 16\n\n\n\n\n               28\n\x0c29\n\x0cEvaluation Team Members\n   The Audit Followup and Technical Support Directorate, Office of the Assistant\n   Inspector General for Auditing, DoD, prepared this report. Personnel of the\n   Office of the Inspector, DoD, who contributed to the report are listed below.\n\n     David A. Brinkman\n     Kenneth H. Stavenjord\n     Dan B. Convis\n     Michael D. Walker\n     Benzad B. Akavan\n     James B. Mitchell\n     Kevin W. Klein\n\x0c'